granicus.if.org Git - apache/commitdiff
propose trailers fix, didn't make the cut for 2.4.10 because I had backport troubles.
author Eric Covener <covener@apache.org>
Tue, 15 Jul 2014 19:15:14 +0000 (19:15 +0000)
committer Eric Covener <covener@apache.org>
Tue, 15 Jul 2014 19:15:14 +0000 (19:15 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610816 13f79535-47bb-0310-9956-ffa450edef68

STATUS

diff --git a/STATUS b/STATUS
index 7707ba6b070d58d466669bf9302890ef16849cea..050468bb445d4c0c6aabd8e10eca912f4523c825 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -105,6 +105,17 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
+  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+     core: HTTP trailers could be used to replace HTTP headers
+     late during request processing, potentially undoing or
+     otherwise confusing modules that examined or modified
+     request headers earlier.  Adds "MergeTrailers" directive to restore
+     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+
+     trunk patch: http://svn.apache.org/r1610814
+     2.4.x patch: http://people.apache.org/~covener/patches/httpd-2.4.x-trailers.diff
+     +1: covener
+
    * mod_proxy_http: Avoid (unlikely) access to freed memory.
      trunk patch: http://svn.apache.org/r1599486
      2.4.x patch: trunk works
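
Review bot: the new CVE-2013-5704 entry sits directly under the "[ New proposals should be added at the end of the list ]" line, ahead of the existing mod_proxy_http proposal, which goes against the list's own ordering rule. If the placement is deliberate because it is a SECURITY item, say so in the entry; otherwise move it to the end of the list. The entry also opens with "*)" where the neighbouring entry uses "*", so the bullet style should be aligned. Finally, it says the patch adds "MergeTrailers" to restore legacy behavior but does not state what the default is once the patch is applied; adding that in one line would let voters judge the behaviour change from STATUS alone.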